Over 3,280,081 Fortinet devices were found exposed on the internet, with web properties running Fortinet devices vulnerable to CVE-2026-24858, a severe authentication-bypass flaw actively exploited in the wild.
The vulnerability, rated 9.4 on the CVSS scale, affects multiple Fortinet product lines, including FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb.
Critical Authentication Bypass Exploited in Active Attacks
CVE-2026-24858 allows threat actors with a FortiCloud account and a registered device to authenticate into other organizations’ devices when FortiCloud SSO is enabled.
While this feature is disabled by default, administrators frequently enable it during FortiCare device registration unless they explicitly toggle off the “Allow administrative login using FortiCloud SSO” option.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on January 27, 2026, establishing a remediation deadline of January 30, 2026, the same day as this report.
| Field | Description |
|---|---|
| CVE | CVE-2026-24858 (CVSS 9.4) |
| Issue | Critical auth bypass via FortiCloud SSO allowing cross-account device access |
| Affected Products | FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb |
| Vulnerable Versions | Multiple versions across 7.x–8.x branches |
Fortinet confirmed active exploitation on January 22, 2026, identifying two malicious FortiCloud accounts, [email protected] and [email protected], responsible for the attacks.
Threat actors leveraged the vulnerability to download device configurations and establish persistence by creating local administrator accounts with innocuous-looking names such as “audit,” “backup,” “itadmin,” “secadmin,” “support,” “svcadmin,” or “system.”
In response, Fortinet temporarily disabled FortiCloud SSO on January 26, 2026, and re-enabled it the following day with version-based restrictions blocking vulnerable devices from authentication.
The vulnerability affects a wide range of versions across Fortinet’s enterprise security portfolio.
FortiOS versions 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.12, and 7.0.0 through 7.0.18 require immediate patching.
FortiManager and FortiAnalyzer share similar vulnerable version ranges, while FortiProxy and FortiWeb face exposure across multiple major releases. FortiSwitch Manager remains under investigation.
Patches are currently available for select branches, with FortiOS requiring upgrades to version 7.4.11 or 7.6.6, FortiManager needing 7.4.10 or 7.6.6, and FortiAnalyzer requiring 7.2.12 or 7.0.16.
According to the Censys advisory, organizations that cannot patch immediately should disable FortiCloud SSO and review all admin accounts for unauthorized users matching attacker-created naming patterns.
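To make that review concrete, the following script is an added example (not code from Censys or Fortinet) that triages a FortiOS configuration backup against the version ranges, SSO setting and attacker account names described above. It assumes the backup starts with a standard #config-version header and that the SSO toggle appears in config system global as admin-forticloud-sso-login; the sample configuration is constructed, not taken from a real device.

```python
import re

# FortiOS version ranges the article lists as affected (inclusive bounds).
VULN_RANGES = [((7, 6, 0), (7, 6, 5)), ((7, 4, 0), (7, 4, 10)),
               ((7, 2, 0), (7, 2, 12)), ((7, 0, 0), (7, 0, 18))]
# Local admin names the article reports the attackers creating for persistence.
ATTACKER_NAMES = {"audit", "backup", "itadmin", "secadmin",
                  "support", "svcadmin", "system"}

# Constructed sample of a FortiOS configuration backup (not a real device).
SAMPLE_CONFIG = """#config-version=FGT60F-7.4.3-FW-build2573-240201:opmode=0:vdom=0:user=admin
config system global
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svcadmin"
        set accprofile "super_admin"
    next
end
"""

def parse_version(config):
    """Pull major.minor.patch from the #config-version header line."""
    m = re.search(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_version(version):
    return any(lo <= version <= hi for lo, hi in VULN_RANGES)

def sso_login_enabled(config):
    # Assumption: the global toggle is exposed as admin-forticloud-sso-login.
    m = re.search(r"^\s*set admin-forticloud-sso-login (\w+)", config, re.M)
    return bool(m) and m.group(1) == "enable"

def admin_accounts(config):
    """Names of every entry in the 'config system admin' block."""
    block = re.search(r"^config system admin\n(.*?)^end", config, re.S | re.M)
    return re.findall(r'^\s*edit "([^"]+)"', block.group(1), re.M) if block else []

def triage(config):
    """Summarise exposure to CVE-2026-24858 from one configuration backup."""
    version = parse_version(config)
    return {
        "version": version,
        "vulnerable_version": version is not None and is_vulnerable_version(version),
        "forticloud_sso_enabled": sso_login_enabled(config),
        "suspicious_admins": sorted(a for a in admin_accounts(config)
                                    if a.lower() in ATTACKER_NAMES),
    }
```

A device that is on a vulnerable version with SSO enabled and a matching admin name should be treated as a possible compromise, not just an unpatched host, and its configuration reviewed before the account is removed.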